Discussion:
TSIG DDNS and windows clients
(too old to reply)
Pete Fry
5 years ago
Permalink
All

I've inherited a BIND environment and i'm trying to understand a few things
as currently we are experiences an issue related to DDNS.

we have

site 1
hostA

site 2
hostB

We have a HArecord, and we want HostA or HostB to be able to update the
HArecord (i.e. failover cluster type configuration)

config:
Zone file:

zone "TEST" {
check-names ignore;
type master;
file "/var/named/dynamic/TEST";
allow-update {
auth-dns;
dynamic-TEST;
};
};

lists.conf

acl dynamic-update-ads {
192.168.2.1 // hostA
192.168.5.1 // hostB
dynamic-TEST-tsig;
};

acl dynamic-TEST-tsig {
// any host which is not..
!{
// not in the new acls
!dynamic-test-site1;
!dynamic-test-site2;
any;
};
// but has the key
key TEST-key;
};


acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};

acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};

however these windows machines keep saying bad key, I know i'm missing
something obvious but how do i get this to work?

happy to be able to give the key to the windows boxes if anyone knows
but i'm drawing a blank

Regards

Cade
Bob Harold
5 years ago
Permalink
On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users <
...
For testing purposes, start with a simpler acl, like:

acl dynamic-TEST-tsig {
key TEST-key;
};

And see if that works.
Post by Pete Fry
acl !dynamic-test-site1 {
192.168.2.1/32; // HostA
};
acl !dynamic-test-site2 {
192.168.5.1/32; // HostB
};
"acl !" seems wrong to me. Is that a legal syntax? And if so, what does
it mean?
--
Bob Harold
Post by Pete Fry
however these windows machines keep saying bad key, I know i'm missing something obvious but how do i get this to work?
happy to be able to give the key to the windows boxes if anyone knows but i'm drawing a blank
Regards
Cade
Ben Croswell
5 years ago
Permalink
Is it possible the clients are trying to do kerberos GSS-TSIG updates?

On Tue, May 12, 2020, 5:58 AM Pete Fry via bind-users <
...
Pete Fry
5 years ago
Permalink
Bob
thanks for the reply and the correction ( the acl dones't have a ! it was a
cut and paste error when i was trying to remove some information.

the TSIG works when from other linux machine via nsupdate etc, however i'm
trying to figure out how to get the windows machines to do the same and was
trying to follow this

http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-
allow-update

Regards

Pete
...
Bob Harold
5 years ago
Permalink
Post by Pete Fry
Bob
thanks for the reply and the correction ( the acl dones't have a ! it was
a cut and paste error when i was trying to remove some information.
the TSIG works when from other linux machine via nsupdate etc, however i'm
trying to figure out how to get the windows machines to do the same and was
trying to follow this
http://serverfault.com/questions/376578/bind9-combining-key-and-acl-for-
allow-update
Regards
Pete
Your ACL looks right. I think Ben has the key - Windows uses GSS-TSIG, not
regular TSIG. Not sure how or if that can be solved.
--
Bob Harold
...
Grant Taylor
5 years ago
Permalink
Your ACL looks right.  I think Ben has the key - Windows uses GSS-TSIG,
not regular TSIG.  Not sure how or if that can be solved.
I would bet someone a coffee and doughnut that it can.

Check out Jan-Piet Mens' article:

Link - RFC 2136 Dynamic DNS Updates using GSS-TSIG and Kerberos
-
https://jpmens.net/2012/06/29/dynamic-dns-updates-using-gss-tsig-and-kerberos/
--
Grant. . . .
unix || die
Bob Harold
5 years ago
Permalink
On Wed, May 13, 2020 at 3:49 PM Grant Taylor via bind-users <
Post by Grant Taylor
Post by Bob Harold
Your ACL looks right. I think Ben has the key - Windows uses GSS-TSIG,
not regular TSIG. Not sure how or if that can be solved.
I would bet someone a coffee and doughnut that it can.
Link - RFC 2136 Dynamic DNS Updates using GSS-TSIG and Kerberos
-
https://jpmens.net/2012/06/29/dynamic-dns-updates-using-gss-tsig-and-kerberos/
--
Grant. . . .
unix || die
Thanks for the link. Lots of pieces to get working there. Not nearly as
simple as TSIG. But good if you are already using Kerberos.
--
Bob Harold
Paul Ebersman
5 years ago
Permalink
rharolde> Thanks for the link. Lots of pieces to get working there. Not
rharolde> nearly as simple as TSIG. But good if you are already using
rharolde> Kerberos.

MS active directory is kerberos under the hood. You don't need to run a
classic mit/hesiod KDC to get GSS-TSIG to work. But it is cryptic and a
pain.
Pete Fry
5 years ago
Permalink
Bob

after a few wireshark sessions etc we have identified this issue is due to
NAT from one of the sites we are sorting this out now and hopefully it
should fix

thanks for your help
...
Loading...